There are a lot of components of Windows 10 that we, as users, are not “allowed” to modify. It isn’t even enough to find a way to do so, such as disabling services or scheduled tasks from a command prompt running under the SYSTEM account, because the next round of updates often resets those settings. There are also background tasks and services intended specifically for “healing” such changes, which is a pretty friendly way to describe a trojan downloader.
One common way to “assert” control is using the registry and the Image File Execution Options key, found as:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
By adding a subkey here named after the executable’s image file name (the basename, such as compattelrunner.exe, not the full path), one can attach additional execution options. The one of importance here is a REG_SZ value called Debugger. When a Debugger value is present, Windows does not start the executable itself; instead it launches the program named in the Debugger value, with the original command line (the executable’s path followed by any arguments it was given) appended to it. Nothing checks that the “debugger” actually is one, and the original program only runs if the debugger chooses to launch it. Two caveats worth knowing: the key lives under HKLM, so writing it requires administrator rights, and because the match is on image name alone, the redirect fires for every process created with that name regardless of where the binary lives. The same mechanism is also a well-known persistence and backdoor technique (a Debugger value on sethc.exe or utilman.exe that points at cmd.exe yields a SYSTEM shell from the logon screen; MITRE ATT&CK tracks it as T1546.012), so expect endpoint security products to flag writes to this key.
We can use this for two purposes. The most obvious is that we can simply swap in an executable that does nothing at all, and basically prevent any executable from running. For example, if we add “C:\Windows\System32\systray.exe” as the Debugger value for an executable, then when the executable in question is run, the systray.exe stub runs instead, does nothing, and exits, and the executable that was being launched never starts. As a quick aside, systray.exe is a stub that doesn’t actually do anything: it used to provide the built-in notification icons on Windows 9x, and it remains because some software would check whether that file existed to decide whether it was running on Windows 95 or later.
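As an added example (not code from the original post), the PowerShell below creates and removes a redirect of this kind from an elevated prompt. It refuses to point the Debugger value at a program that itself has a Debugger entry, because that would make CreateProcess recurse on every launch, and it checks that the debugger file exists, since a missing debugger simply makes the target fail to start with nothing logged. The image name and debugger path in the usage lines are assumed values taken from the discussion above.

```powershell
# Added example: manage an IFEO Debugger redirect. Assumes an elevated session.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Set-IfeoDebugger {
    param(
        [Parameter(Mandatory)] [string] $ImageName,    # basename only, e.g. 'compattelrunner.exe'
        [Parameter(Mandatory)] [string] $DebuggerPath  # full path of the program to run instead
    )
    if (-not (Test-Path -LiteralPath $DebuggerPath)) {
        throw "Debugger '$DebuggerPath' does not exist; the target would fail to launch with no log entry."
    }

    # The debugger must not itself carry a Debugger value, or every launch recurses.
    $debuggerName = Split-Path -Leaf $DebuggerPath
    $existing = Get-ItemProperty -Path (Join-Path $ifeo $debuggerName) -Name Debugger -ErrorAction SilentlyContinue
    if ($existing) {
        throw "'$debuggerName' already has a Debugger entry; refusing to create a redirect loop."
    }

    # IFEO matches on image name, not path: every process created with this
    # name is redirected, wherever the binary lives.
    $key = Join-Path $ifeo $ImageName
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # The value is prepended verbatim to the original command line, so a path
    # containing spaces has to be quoted or it is split at the first space.
    $value = if ($DebuggerPath -match ' ') { "`"$DebuggerPath`"" } else { $DebuggerPath }
    Set-ItemProperty -Path $key -Name Debugger -Value $value -Type String
}

function Remove-IfeoDebugger {
    param([Parameter(Mandatory)] [string] $ImageName)
    $key = Join-Path $ifeo $ImageName
    if (Test-Path -LiteralPath $key) {
        # Remove only the Debugger value; other IFEO settings on the key are left alone.
        Remove-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue
    }
}

# Usage (assumed names): block compattelrunner.exe with the systray.exe stub, then undo it.
# Set-IfeoDebugger -ImageName 'compattelrunner.exe' -DebuggerPath 'C:\Windows\System32\systray.exe'
# Remove-IfeoDebugger -ImageName 'compattelrunner.exe'
```

Removing the value rather than the whole subkey matters because other tools (Application Verifier, GlobalFlag settings) store their options on the same key.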
The second way we can use it is to instead insert our own executable as the debugger value. Then we can log and record each invocation of any redirected program. I wanted to record the invocations of some built-in Windows executables I had disabled, so I created a simple stub program for this purpose:
IFEOSettings.cs

```csharp
using System;

namespace IFEOStub
{
    public class IFEOSettings
    {
        // Root folder under which one sub-folder per redirected executable is written.
        public String OutputPath = "C:\\IMEO_Logs";
    }
}
```
I decided to separate the settings for future editing. For my usage, I just have it hard-coded to C:\IMEO_Logs right now and create the folder beforehand. The bulk of the program of course is the entry point class:
```csharp
using System;
using System.IO;
using System.Text;

namespace IFEOStub
{
    static class Program
    {
        public static IFEOSettings _Settings;

        [STAThread]
        static void Main(String[] args)
        {
            _Settings = new IFEOSettings();

            // When launched through an IFEO Debugger value, Windows appends the
            // original command line to ours, so args[0] is the path of the
            // redirected executable and args[1..] are the arguments it was given.
            if (args.Length < 1)
            {
                // Run directly with no arguments: nothing to log.
                // (A configuration UI could go here if one is ever added.)
                return;
            }

            String sLaunchEXE = Path.GetFileNameWithoutExtension(args[0]);
            String LaunchDir = Path.GetDirectoryName(args[0]);

            // One log folder per redirected image, e.g. C:\IMEO_Logs\compattelrunner.
            // CreateDirectory also creates missing parent folders.
            String sLogFolder = Path.Combine(_Settings.OutputPath, sLaunchEXE);
            if (!Directory.Exists(sLogFolder))
            {
                Directory.CreateDirectory(sLogFolder);
            }
            String sLogFile = Path.Combine(sLogFolder, "runlog.txt");

            // Timestamp down to microseconds, so two launches in the same second stay distinct.
            String sCurrentStamp = DateTime.Now.ToString("yyyy-MM-dd-HH-mm-ss-ffffff");
            StringBuilder sWriteLine = new StringBuilder();
            sWriteLine.Append(sCurrentStamp);
            sWriteLine.Append(">> ");
            sWriteLine.Append("Path:" + LaunchDir + ", Arguments= ");
            for (int i = 1; i < args.Length; i++)
            {
                sWriteLine.Append(args[i] + " ");
            }

            // Append one line per invocation; FileShare.ReadWrite lets the log be
            // read while another redirected launch is writing to it.
            using (StreamWriter sw = new StreamWriter(
                new FileStream(sLogFile, FileMode.Append, FileAccess.Write, FileShare.ReadWrite)))
            {
                sw.WriteLine(sWriteLine);
            }
        }
    }
}
```
I’ve used this for a few weeks by manually altering the Image File Execution Options to change my existing settings, which redirected some executables (compattelrunner.exe, wsqmcons.exe, and a number of others) to systray.exe, to instead redirect to this program. It then logs all the attempts to invoke that executable alongside details like the arguments that were passed in.
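Because the same Debugger value that blocks or logs these executables is also how attackers plant backdoors, it is worth being able to list every redirect present on a machine, not only the ones set up deliberately. The script below is an added example, not part of the original post: it walks every IFEO subkey that carries a Debugger value, pulls the executable out of the value (which is the start of a command line, possibly quoted), reports whether that file exists and what Get-AuthenticodeSignature says about it, and marks an entry suspicious when the redirected image is one of the accessibility binaries reachable from the logon screen or the debugger file is missing. The accessibility list and the WOW6432Node path (checked only if it exists) are assumptions of this script.

```powershell
# Added example: audit IFEO Debugger redirects on the local machine.
$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
) | Where-Object { Test-Path -LiteralPath $_ }

# Assumed list: images launchable from the logon screen, the classic backdoor targets.
$accessibilityImages = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                       'magnify.exe', 'displayswitch.exe', 'atbroker.exe'

function Get-IfeoDebugger {
    foreach ($root in $ifeoPaths) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if (-not $dbg) { return }

            # The value is prepended to the original command line, so its first
            # token (quoted or not) is the executable that will actually run.
            $exe = if ($dbg -match '^"([^"]+)"') { $Matches[1] } else { ($dbg -split '\s+')[0] }

            $exists = Test-Path -LiteralPath $exe
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }

            [pscustomobject]@{
                Hive        = $root
                ImageName   = $_.PSChildName
                Debugger    = $dbg
                DebuggerExe = $exe
                Signature   = $sig
                Suspicious  = ($_.PSChildName.ToLower() -in $accessibilityImages) -or (-not $exists)
            }
        }
    }
}

# Suspicious entries first; review the Signature column for anything that is not Microsoft-signed.
Get-IfeoDebugger | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run from an elevated prompt so the HKLM subkeys are readable; an entry whose DebuggerExe is missing is either a leftover that now silently breaks the target, or a redirect someone intended to fill in later, and both deserve a look.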